Hi Martin,
At the rule 31115, we look for long URLs, but we only alert when they
are higher than 2900 characters.
What was the size of these URLs? Were they "bad" indeed?
<rule id="31115" level="13" maxsize="2900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<group>invalid_access,</group>
</rule>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Jun 7, 2008 at 7:43 AM, Martin West <[EMAIL PROTECTED]> wrote:
>
>
> I am seeing this in logwatch
>
> http://images.google.de/imghp?ie=UTF-8&oe= ... hl=de&tab=wi&q=:
> 1 Time(s)
> http://www.ukfinanceinfo.co.uk/prx1.php?ha ... 64FC0DD1E47BB90: 2
> Time(s)
> http://www.wantsfly.com/prx1.php?hash=E1ED ... 64FC0DD1E47BB90: 1
> Time(s)
>
> but no alerts from ossec, thoughts?
>
>
> --
> regards
> Martin West
> 07879 680096
>
>
